MNGI Digestive Health has agreed to settle a class action lawsuit over its alleged negligence in failing to secure sensitive patient data. The lawsuit stems from a ransomware attack on the Minnesota gastroenterology practice by the ALPHV/Blackcat ransomware group in 2023.
MNGI Digestive Health discovered the cyberattack on August 25, 2024. According to the forensic investigation, the initial breach of its network occurred on August 20, 2024. MNGI Digestive Health stated that the incident resulted in the breach of data including names, medical data, medical insurance data, birth dates, patient account numbers, taxpayer ID numbers, financial account data, passport numbers, state ID or driver’s license numbers, payment card details, usernames and passwords, Social Security numbers, and biometric information. The breach report submitted to the HHS Office for Civil Rights indicated that 767,670 individuals were impacted.
MNGI Digestive Health faced multiple class action lawsuits because of the data breach. The lawsuits were consolidated into one action, In Re MNGI Digestive Health, P.A., filed in the Minnesota District Court for Hennepin County. The plaintiffs claimed that MNGI Digestive Health did not employ acceptable and proper cybersecurity measures, and that had it implemented those measures, it could have avoided the data breach and the HIPAA violation. Besides negligence, the plaintiffs asserted claims of negligence per se, breach of fiduciary duty, unjust enrichment, breach of implied contract, and violations of the Minnesota Uniform Deceptive Trade Practices Act, Minnesota Consumer Fraud Act, and Minnesota Health Records Act.
MNGI Digestive Health maintains that it committed no wrongdoing and denies liability and all claims and allegations in the lawsuit. Nevertheless, it agreed to settle the lawsuit to avoid the costs, risks, and concerns of ongoing litigation. All parties have accepted the settlement, and the court has given it preliminary approval. Under the terms of the settlement, class members may file a claim for documented, unreimbursed fees, expenditures, and losses reasonably traceable to the data breach, up to $10,000 per class member. Class members will also receive two years of Medical Monitoring, which tracks their personal healthcare data for breaches and healthcare fraud.
All class members may also claim a cash payment, regardless of whether they submitted a claim for reimbursement of losses. Pro rata cash payments will be made to class members after all legal fees, expenditures, attorneys’ fees, claims, class representative awards, and Medical Monitoring expenses have been deducted from the $2,838,749.62 settlement fund.
The deadline for exclusion from or objection to the settlement is August 05, 2025. The deadline to submit a claim is September 04, 2025. The final fairness hearing is scheduled for September 04, 2025.